PT-2022-26908 · Jenkins · Jenkins Compuware Xpediter Code Coverage Plugin
Published: 2022-10-19 · Updated: 2025-05-08
CVE-2022-43424
CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Compuware Xpediter Code Coverage Plugin versions 1.0.7 and earlier
Jenkins versions 2.318 and earlier, LTS 2.303.2 and earlier
Description
The issue allows attackers able to control agent processes to obtain the values of Java system properties from the Jenkins controller process. This is due to an agent/controller message that does not limit where it can be executed.
Recommendations
For Jenkins Compuware Xpediter Code Coverage Plugin versions 1.0.7 and earlier, update to version 1.0.8 or later, which restricts execution of the agent/controller message to agents.
For Jenkins versions 2.318 and earlier, LTS 2.303.2 and earlier, upgrade to a newer version, following the LTS upgrade guide.
Weakness Enumeration
Protection Mechanism Failure
Affected Products
Jenkins
Jenkins Compuware Xpediter Code Coverage Plugin